b'                      AUDIT REPORT\n\nAudit of NRC\xe2\x80\x98s Progress in Carrying Out the \xe2\x80\x9525 Point Implementation Plan to Reform\n                  Federal Information Technology Management\xe2\x80\x96\n\n\n                      OIG-13-A-09         January 23, 2013\n\n\n\n\n   All publicly available OIG reports (including this report) are accessible through\n                                 NRC\xe2\x80\x98s Web site at:\n                http:/www.nrc.gov/reading-rm/doc-collections/insp-gen/\n\x0c                                 UNITED STATES\n                         NUCLEAR REGULATORY COMMISSION\n                                 WASHINGTON, D.C. 20555-0001\n\n\n\nOFFICE OF THE\nINSPECTOR GENERAL\n\n\n                                          January 23, 2013\n\n\n\nMEMORANDUM TO:              R. William Borchardt\n                            Executive Director for Operations\n\n\n\nFROM:                       Stephen D. Dingbaum /RA/\n                            Assistant Inspector General for Audits\n\n\nSUBJECT:                    AUDIT OF NRC\xe2\x80\x99S PROGRESS IN CARRYING OUT THE\n                            \xe2\x80\x9c25 POINT IMPLEMENTATION PLAN TO REFORM\n                            FEDERAL INFORMATION TECHNOLOGY MANAGEMENT\xe2\x80\x9d\n                            (OIG-13-A-09)\n\n\nAttached is the Office of the Inspector General\xe2\x80\x99s (OIG) audit report titled, Audit of NRC\xe2\x80\x99s\nProgress in Carrying Out the \xe2\x80\x9c25 Point Implementation Plan to Reform Federal\nInformation Technology Management.\xe2\x80\x9d\n\nThe report presents the results of the subject audit. Following the December 18, 2012,\nexit conference, agency staff indicated that they had no formal comments for inclusion\nin this report.\n\nPlease provide information on actions taken or planned on each of the\nrecommendations within 30 days of the date of this memorandum. Actions taken or\nplanned are subject to OIG followup as stated in Management Directive 6.1.\n\nWe appreciate the cooperation extended to us by members of your staff during the\naudit. If you have any questions or comments about our report, please contact me at\n415-5915 or Beth Serepca, Team Leader, Security and Information Management Team,\nat 415-5911.3\n\nAttachment: As stated\n\x0cAudit of NRC\xe2\x80\x98s Progress in Carrying Out the \xe2\x80\x9525 Point Implementation Plan to Reform Federal Information Technology Management\n\n\n\n\nExecutive Summary\n\n         Background\n\n                  The U.S. Nuclear Regulatory Commission (NRC) invests in a broad range\n                  of information technology (IT) products and services to perform its\n                  mission. Some IT investments support business activities such as\n                  financial, administrative, and human resource management. Others\n                  support core regulatory activities related to nuclear security, reactor\n                  safety, and nuclear materials and waste safety. In addition, investments\n                  such as IT security and infrastructure services support activities across\n                  NRC\xe2\x80\x98s organizational lines. Despite rapidly changing IT security threats\n                  and increased reliance on IT to accomplish the agency\xe2\x80\x98s mission, NRC\n                  faces the Governmentwide challenge of declining budgets. For example,\n                  NRC spent $164.7 million on IT in Fiscal Year (FY) 2011, but has\n                  budgeted $151.4 million for IT in FY 2013\xe2\x80\x94a decline of approximately 8\n                  percent.\n\n                  As a representative of the Office of Management and Budget (OMB), the\n                  U.S. Chief Information Officer (CIO) has encouraged NRC and other\n                  Federal agencies to \xe2\x80\x95do more with less.\xe2\x80\x96 In December 2010, the U.S. CIO\n                  promulgated the \xe2\x80\x9525 Point Implementation Plan to Reform Federal\n                  Information Technology Management\xe2\x80\x96 (25-Point Plan).1 The 25-Point\n                  Plan tasked NRC and other agencies with undertaking specific\n                  management reforms and policy changes within 6-, 12-, and 18-month\n                  timeframes.2 NRC\xe2\x80\x94by itself or in conjunction with other Federal agencies\n                  and OMB\xe2\x80\x94was responsible for carrying out the following 10 action items:\n\n                            Action Item 1: Complete detailed implementation plans to\n                            consolidate 800 data centers by 2015.\n\n\n\n\n1\n For a complete list and indepth discussion of these initiatives, reference the \xe2\x80\x9525 Point Implementation\nPlan to Reform Federal Information Technology Management,\xe2\x80\x96 U.S. Chief Information Officer, December\n9, 2010.\n2\n The 25-Point Plan assigns responsibility for some initiatives to the General Services Administration,\nSmall Business Administration, Office of Personnel Management, and OMB.\n\n                                                             i\n\x0cAudit of NRC\xe2\x80\x98s Progress in Carrying Out the \xe2\x80\x9525 Point Implementation Plan to Reform Federal Information Technology Management\n\n\n\n\n                            Action Item 3: Shift to a \xe2\x80\x95Cloud First\xe2\x80\x963 policy.\n\n                            Action Item 8: Scale IT program management career path.\n\n                             Action Item 13: Design and develop a cadre of specialized IT\n                            acquisition professionals.\n\n                            Action Item 17: Work with Congress to create IT budget models\n                            that align with modular development.\n\n                            Action Item 19: Work with Congress to scale flexible IT budget\n                            models more broadly.\n\n                            Action Item 20: Work with Congress to consolidate commodity IT4\n                            spending under the agency CIO.\n\n                            Action Item 21: Reform and strengthen Investment Review Boards.\n\n                            Action Item 22: Redefine the role of agency CIO and the Federal\n                            CIO Council.\n\n                            Action Item 23: Roll out \xe2\x80\x95TechStat\xe2\x80\x965 model at the bureau level.\n\n                  NRC Organizations Responsible for Carrying Out the 25-Point Plan\n\n                  Several offices have participated in responding to 25-Point Plan action\n                  items. NRC\xe2\x80\x98s Office of Information Services has played an active role,\n                  particularly in response to action items focused on IT infrastructure\n                  planning and budgeting. The Office of Administration has played a role in\n                  action items pertaining to contracting and acquisitions. Lastly, NRC\xe2\x80\x98s\n\n\n3\n  \xe2\x80\x95Cloud\xe2\x80\x96 computing aims to enable convenient, on-demand access to a shared pool of computing\nresources such as networks, servers, applications, storage, and services. The National Institute of\nStandards and Technology identifies the following essential cloud features: on-demand service, broad\nnetwork access, resource pooling, rapid elasticity, and measured service.\n4\n \xe2\x80\x95Commodity IT\xe2\x80\x96 refers to generic products and services such as e-mail, content management systems,\nand Web infrastructure.\n5\n  \xe2\x80\x95TechStat\xe2\x80\x96 reviews are evidence-based evaluations designed to identify IT program weaknesses and\ndevelop plans for improvement. TechStat reviews can also help identify failed IT programs for early\ntermination.\n\n                                                             ii\n\x0cAudit of NRC\xe2\x80\x98s Progress in Carrying Out the \xe2\x80\x9525 Point Implementation Plan to Reform Federal Information Technology Management\n\n\n\n\n                  Deputy Executive Director for Corporate Management serves as the\n                  agency\xe2\x80\x98s Chief Information Officer, and oversees the agency\xe2\x80\x98s IT strategic\n                  planning.\n\nObjective\n\n                  The audit objective was to evaluate NRC\xe2\x80\x98s progress in carrying out the \xe2\x80\x9525\n                  Point Implementation Plan to Reform Federal Information Technology\n                  Management.\xe2\x80\x96 Appendix A contains information on the audit scope and\n                  methodology.\n\nResults in Brief\n\n                  OIG auditors evaluated NRC\xe2\x80\x98s performance in carrying out the 10 action\n                  items for which the agency was responsible. Based on this work, auditors\n                  concluded that NRC had met its obligations for these action items, but\n                  developed findings and recommendations to improve the agency\xe2\x80\x98s IT\n                  management in areas related to the following three action items:\n\n                  Action Item 21 (IT Investment Review Boards) Finding:\n\n                            \xef\x83\x98 NRC does not review performance of non-major IT investments,\n                              as defined by OMB.\n\n                  Action Item 13 (IT acquisition cadres) Finding:\n\n                            \xef\x83\x98 NRC has specialized IT acquisition professionals, but has not\n                              institutionalized current training and retention best practices.\n\n                  Action Item 1 (Data center consolidation) Findings:\n\n                            \xef\x83\x98 NRC does not include all data centers in consolidation plans.\n\n                            \xef\x83\x98 NRC did not perform alternatives analysis for the 3WFN data\n                              center.\n\n\n\n\n                                                             iii\n\x0cAudit of NRC\xe2\x80\x98s Progress in Carrying Out the \xe2\x80\x9525 Point Implementation Plan to Reform Federal Information Technology Management\n\n\n\n\n                  NRC Does Not Review Performance of Non-Major IT Investments, as\n                  Defined by OMB\n\n                  OMB has directed Federal agencies to apply the TechStat model to review\n                  performance of IT investments. NRC has implemented TechStat, but only\n                  uses it to review major IT investments as defined by OMB. NRC does not\n                  apply the TechStat model to non-major IT investments because the\n                  agency has recently restructured its Investment Review Boards, and the\n                  initial TechStat focus has been placed on major IT investments, which are\n                  fewer in number and higher in total value than non-major IT investments.\n                  Consequently, without reviewing non-major IT investments, NRC may\n                  miss opportunities to improve performance and cost-effectiveness of these\n                  investments.\n\n                  NRC Has Specialized IT Acquisition Professionals, but Has Not\n                  Institutionalized Current Training and Retention Best Practices\n\n                  OMB has directed Federal agencies to design and develop a cadre of\n                  specialized IT acquisition professionals by providing specific training, on-\n                  the-job experience, and mentoring. Although NRC has a branch of IT\n                  acquisition specialists who are encouraged to pursue training in this field,\n                  NRC has not institutionalized current training and retention best practices\n                  for these staff. This occurs because OMB approved NRC\xe2\x80\x98s 2012\n                  acquisition human capital plan,6 which did not include details about staff\n                  training. Without institutionalized best practices, NRC faces challenges in\n                  training and retaining specialized IT acquisition professionals.\n\n                  NRC Does Not Include All Data Centers in Consolidation Plans\n\n                  Action Item 1 of the 25-Point Plan directs Federal agencies to comply with\n                  the Consolidation Initiative, which requires Federal agencies to inventory\n                  their data center assets and develop data center consolidation plans.\n                  However, NRC has limited its data center count to three headquarters\n                  facilities, excluding data centers in its regional offices and Technical\n\n\n\n6\n  Each Federal agency covered by the Chief Financial Officers Act is required to develop an annual\nAcquisition Human Capital Plan as a means to improve the strategic management of the agency\xe2\x80\x98s\nacquisition workforce. A template developed by OMB\xe2\x80\x98s Office of Federal Procurement Policy and the\nFederal Acquisition Institute is used to gather information about each agency\xe2\x80\x98s acquisition workforce.\n\n\n                                                             iv\n\x0cAudit of NRC\xe2\x80\x98s Progress in Carrying Out the \xe2\x80\x9525 Point Implementation Plan to Reform Federal Information Technology Management\n\n\n\n\n                  Training Center. This has occurred because OMB has promulgated\n                  different definitions of \xe2\x80\x95data center,\xe2\x80\x96 and NRC has interpreted OMB\n                  guidance to exclude regional data centers. Without a complete data\n                  center count, NRC may miss opportunities to identify potential cost\n                  savings that could be realized through expanding its data center\n                  consolidation efforts.\n\n                  NRC Did Not Perform Alternatives Analysis for the 3WFN Data Center\n\n                  Federal guidance instructs agencies to consider alternatives to in-house\n                  data hosting when formulating data center consolidation plans. NRC built\n                  a new data center in the Three White Flint North building (3WFN) to\n                  consolidate some headquarters data centers, but did not perform an\n                  alternatives analysis prior to undertaking the project. NRC staff did not\n                  perform an alternatives analysis to include external hosting for the 3WFN\n                  data center because senior management had committed to moving\n                  existing data centers to 3WFN early in the planning phase. As result, the\n                  3WFN data center was built with extra capacity that may not be used.\n\n         Recommendations\n\n                  This report makes four recommendations to improve the agency\xe2\x80\x98s plan to\n                  reform its information technology management. A consolidated list of\n                  these recommendations appears in Section IV of this report.\n\n\nAGENCY COMMENTS\n\n                  An exit conference was held with the agency on December 18, 2012. At\n                  this meeting, agency management stated their general agreement with the\n                  findings and recommendations in this report and opted not to provide\n                  formal comments for inclusion in this report.\n\n\n\n\n                                                             v\n\x0cAudit of NRC\xe2\x80\x98s Progress in Carrying Out the \xe2\x80\x9525 Point Implementation Plan to Reform Federal Information Technology Management\n\n\n\n\nABBREVIATIONS AND ACRONYMS\n\n                  CIO                 Chief Information Officer\n                  FY                  Fiscal Year\n                  IT                  Information Technology\n                  IT Board            Information Technology/Information Management Board\n                  NRC                 Nuclear Regulatory Commission\n                  OIG                 Office of the Inspector General\n                  OIS                 Office of Information Services\n                  OMB                 Office of Management and Budget\n                  3WFN                Three White Flint North\n\n\n\n\n                                                             vi\n\x0cAudit of NRC\xe2\x80\x98s Progress in Carrying Out the \xe2\x80\x9525 Point Implementation Plan to Reform Federal Information Technology Management\n\n\n\n\nTABLE OF CONTENTS\n\nEXECUTIVE SUMMARY.................................................................................................. i\n\nABBREVIATIONS AND ACRONYMS ............................................................................. vi\n\nI.       BACKGROUND .................................................................................................... 1\n\nII.      OBJECTIVE ......................................................................................................... 3\n\nIII.     FINDINGS ............................................................................................................ 3\n\n         A. NRC DOES NOT REVIEW PERFORMANCE OF NON-MAJOR IT\n            INVESTMENTS, AS DEFINED BY OMB ........................................................ 4\n\n         B. NRC HAS SPECIALIZED IT ACQUISITION PROFESSIONALS, BUT\n            HAS NOT INSTITUTIONALIZED CURRENT TRAINING AND RETENTION\n            BEST PRACTICES ......................................................................................... 7\n\n         C. NRC DOES NOT INCLUDE ALL DATA CENTERS IN\n            CONSOLIDATION PLANS ............................................................................ 11\n\n         D. NRC DID NOT PERFORM ALTERNATIVES ANALYSIS FOR THE\n            3WFN DATA CENTER .................................................................................. 13\n\nIV.      CONSOLIDATED LIST OF RECOMMENDATIONS........................................... 16\n\nV.       AGENCY COMMENTS ...................................................................................... 17\n\nAPPENDIX\n\n         A. OBJECTIVE, SCOPE AND METHODOLOGY .............................................. 18\n\n\n\n\n                                                             vii\n\x0cAudit of NRC\xe2\x80\x98s Progress in Carrying Out the \xe2\x80\x9525 Point Implementation Plan to Reform Federal Information Technology Management\n\n\n\n\nI. BACKGROUND\n\n                  The U.S. Nuclear Regulatory Commission (NRC) invests in a broad range\n                  of information technology (IT) products and services to perform its\n                  mission. Some IT investments support business activities such as\n                  financial, administrative, and human resource management. Others\n                  support core regulatory activities related to nuclear security, reactor\n                  safety, and nuclear materials and waste safety. In addition, investments\n                  such as IT security and infrastructure services support activities across\n                  NRC\xe2\x80\x98s organizational lines. Despite rapidly changing IT security threats\n                  and increased reliance on IT to accomplish the agency\xe2\x80\x98s mission, NRC\n                  faces the Governmentwide challenge of declining budgets. For example,\n                  NRC spent $164.7 million on IT in Fiscal Year (FY) 2011, but has\n                  budgeted $151.4 million for IT in FY 2013\xe2\x80\x94a decline of approximately 8\n                  percent.\n\n                  As a representative of the Office of Management and Budget (OMB), the\n                  U.S. Chief Information Officer (CIO) has encouraged NRC and other\n                  Federal agencies to \xe2\x80\x95do more with less.\xe2\x80\x96 In December 2010, the U.S. CIO\n                  promulgated the \xe2\x80\x9525 Point Implementation Plan to Reform Federal\n                  Information Technology Management\xe2\x80\x96 (25-Point Plan).7 The 25-Point\n                  Plan tasked NRC and other agencies with undertaking specific\n                  management reforms and policy changes within 6-, 12-, and 18-month\n                  timeframes.8 NRC\xe2\x80\x94by itself or in conjunction with other Federal agencies\n                  and OMB\xe2\x80\x94was responsible for carrying out the following 10 action items:\n\n                            Action Item 1: Complete detailed implementation plans to\n                            consolidate 800 data centers by 2015.\n\n                            Action Item 3: Shift to a \xe2\x80\x95Cloud First\xe2\x80\x969 policy.\n\n\n7\n For a complete list and indepth discussion of these initiatives, reference the \xe2\x80\x9525 Point Implementation\nPlan to Reform Federal Information Technology Management,\xe2\x80\x96 U.S. Chief Information Officer, December\n9, 2010.\n8\n The 25-Point Plan assigns responsibility for some initiatives to the General Services Administration,\nSmall Business Administration, Office of Personnel Management, and OMB.\n9\n  \xe2\x80\x95Cloud\xe2\x80\x96 computing aims to enable convenient, on-demand access to a shared pool of computing\nresources such as networks, servers, applications, storage, and services. The National Institute of\nStandards and Technology identifies the following essential cloud features: on-demand service, broad\nnetwork access, resource pooling, rapid elasticity, and measured service.\n\n                                                             1\n\x0cAudit of NRC\xe2\x80\x98s Progress in Carrying Out the \xe2\x80\x9525 Point Implementation Plan to Reform Federal Information Technology Management\n\n\n\n\n                            Action Item 8: Scale IT program management career path.\n\n                            Action Item 13: Design and develop a cadre of specialized IT\n                            acquisition professionals.\n\n                            Action Item 17: Work with Congress to create IT budget models\n                            that align with modular development.\n\n                            Action Item 19: Work with Congress to scale flexible IT budget\n                            models more broadly.\n\n                            Action Item 20: Work with Congress to consolidate commodity IT10\n                            spending under the agency CIO.\n\n                            Action Item 21: Reform and strengthen Investment Review Boards.\n\n                            Action Item 22: Redefine the role of agency CIO and the Federal\n                            CIO Council.\n\n                            Action Item 23: Roll out \xe2\x80\x95TechStat\xe2\x80\x9611 model at the bureau level.\n\n                  NRC Organizations Responsible for Carrying Out the 25-Point Plan\n\n                  Several offices have participated in responding to 25-Point Plan action\n                  items. NRC\xe2\x80\x98s Office of Information Services (OIS) has played an active\n                  role, particularly in response to action items focused on IT infrastructure\n                  planning and budgeting. The Office of Administration has played a role in\n                  action items pertaining to contracting and acquisitions. Lastly, NRC\xe2\x80\x98s\n                  Deputy Executive Director for Corporate Management serves as the\n                  agency\xe2\x80\x98s Chief Information Officer, and oversees the agency\xe2\x80\x98s IT strategic\n                  planning.\n\n\n\n\n10\n  \xe2\x80\x95Commodity IT\xe2\x80\x96 refers to generic products and services such as e-mail, content management systems,\nand Web infrastructure.\n11\n  \xe2\x80\x95TechStat\xe2\x80\x96 reviews are evidence-based evaluations designed to identify IT program weaknesses and\ndevelop plans for improvement. TechStat reviews can also help identify failed IT programs for early\ntermination.\n\n                                                             2\n\x0cAudit of NRC\xe2\x80\x98s Progress in Carrying Out the \xe2\x80\x9525 Point Implementation Plan to Reform Federal Information Technology Management\n\n\n\n\nII. OBJECTIVE\n\n                  The audit objective was to evaluate NRC\xe2\x80\x98s progress in carrying out the \xe2\x80\x9525\n                  Point Implementation Plan to Reform Federal Information Technology\n                  Management.\xe2\x80\x96 Appendix A contains information on the audit scope and\n                  methodology.\n\n\n\nIII. FINDINGS\n\n                  OIG auditors evaluated NRC\xe2\x80\x98s performance in carrying out the 10 action\n                  items for which the agency was responsible. Based on this work, auditors\n                  concluded that NRC had met its obligations for these action items, but\n                  developed findings and recommendations to improve the agency\xe2\x80\x98s IT\n                  management in areas related to the following three action items:\n\n                  Action Item 21 (IT Investment Review Boards) Finding:\n\n                            \xef\x83\x98 NRC Does Not Review Performance of Non-Major IT\n                              Investments, as Defined by OMB.\n\n                  Action Item 13 (IT acquisition cadres) Finding:\n\n                            \xef\x83\x98 NRC Has Specialized IT Acquisition Professionals, but Has Not\n                              Institutionalized Current Training and Retention Best Practices.\n\n                  Action Item 1 (Data center consolidation) Findings:\n\n                            \xef\x83\x98 NRC Does Not Include All Data Centers in Consolidation Plans.\n\n                            \xef\x83\x98 NRC Did Not Perform Alternatives Analysis for the 3WFN Data\n                              Center.\n\n                  Background information explaining each action item appears at the start of\n                  each action item finding section of this report.\n\n\n\n\n                                                             3\n\x0cAudit of NRC\xe2\x80\x98s Progress in Carrying Out the \xe2\x80\x9525 Point Implementation Plan to Reform Federal Information Technology Management\n\n\n\n\n                  Background for Action Item 21 Finding: IT Investment Review Boards\n\n                  Action Item 21 of the 25-Point Plan directs Federal agencies to reform and\n                  strengthen IT Investment Review Boards, which were created to control\n                  and evaluate the results of major IT investments. However, according to\n                  OMB, Investment Review Boards have failed to establish successful IT\n                  programs and correct unsuccessful ones because the review process has\n                  focused on short, broad-based reviews of each Federal agency\xe2\x80\x98s entire IT\n                  investment portfolio. To remedy this, OMB has required Federal agencies\n                  to implement the \xe2\x80\x95TechStat\xe2\x80\x96 model at the agency level. TechStat reviews\n                  entail indepth analysis of IT investments to measure their performance\n                  and identify corrective actions if needed. OMB expects this approach to\n                  improve agencies\xe2\x80\x98 IT performance management, expedite intervention in\n                  failing IT programs, and focus OMB\xe2\x80\x98s attention on a limited number of\n                  highest-priority cases.\n\n                  NRC has two Investment Review Boards that help the agency manage IT\n                  investment. The Information Technology Executive Portfolio Council\n                  (Portfolio Council) includes seven NRC office directors and is co-chaired\n                  by NRC\xe2\x80\x98s Chief Information Officer and Chief Financial Officer. The\n                  Information Technology/Information Management Board (IT Board)\n                  includes representatives from OIS, the Computer Security Office, and\n                  NRC program offices.\n\n                  A. NRC Does Not Review Performance of Non-Major IT Investments,\n                     as Defined by OMB\n\n                  OMB has directed Federal agencies to apply the TechStat model to review\n                  performance of IT investments. NRC has implemented TechStat, but only\n                  uses it to review major IT investments as defined by OMB. NRC does not\n                  apply the TechStat model to non-major IT investments because the\n                  agency has recently restructured its Investment Review Boards, and the\n                  initial TechStat focus has been placed on major IT investments, which are\n                  fewer in number and higher in total value than non-major IT investments.\n                  Consequently, without reviewing non-major IT investments, NRC may\n                  miss opportunities to improve performance and cost-effectiveness of these\n                  investments.\n\n\n\n\n                                                             4\n\x0cAudit of NRC\xe2\x80\x98s Progress in Carrying Out the \xe2\x80\x9525 Point Implementation Plan to Reform Federal Information Technology Management\n\n\n\n\n                  Federal Agencies Are To Apply the TechStat Model to Review\n                  Performance of IT Investments\n\n                  OMB has directed Federal agencies to apply the TechStat model to review\n                  performance of IT investments. To facilitate this, OMB has provided\n                  guidance for conducting TechStat reviews. Federal agencies have some\n                  flexibility in selecting IT investments for review, but OMB guidance states\n                  that agencies should select investments for review based on data from\n                  agency performance management systems, congressional testimony, and\n                  other information sources.\n\n                  NRC Has Implemented TechStat, but Only Reviews Major IT Investments\n\n                  NRC has implemented TechStat, but only reviews major IT investments.\n                  OMB defines a major investment as follows:\n\n                            Major IT Investment means a program requiring\n                            special management attention because of its\n                            importance to the mission or function of the agency,\n                            a component of the agency, or another organization;\n                            has significant program or policy implications; has high\n                            executive visibility; has high development, operating,\n                            or maintenance costs; is funded through other than\n                            direct appropriations; or is defined as major by the\n                            agency\xe2\x80\x98s capital planning and investment control\n                            process. OMB may work with the agency to declare\n                            other investments as major investments\xe2\x80\xa6Investments\n                            not considered \xe2\x80\x97major\xe2\x80\x98 are \xe2\x80\x97non-major.\xe2\x80\x98\n\n                  NRC considers nine of its IT systems as major investments, and these\n                  investments account for approximately 72 percent of NRC\xe2\x80\x98s estimated\n                  $151 million FY 2013 IT budget. Not included in NRC\xe2\x80\x98s TechStat reviews\n                  are 23 non-major investments, which account for approximately 28\n                  percent of the agency\xe2\x80\x98s IT spending.\n\n\n\n\n                                                             5\n\x0cAudit of NRC\xe2\x80\x98s Progress in Carrying Out the \xe2\x80\x9525 Point Implementation Plan to Reform Federal Information Technology Management\n\n\n\n\n                  NRC Has Restructured Investment Review Boards, and Initial Focus Has\n                  Been on Major IT Investments\n\n                  NRC does not apply the TechStat model to non-major IT investments\n                  because the agency has recently restructured its Investment Review\n                  Boards, and the initial TechStat focus has been placed on major IT\n                  investments, which are fewer in number and higher in total value than\n                  non-major IT investments. NRC created a Portfolio Council and an IT\n                  Board in early 2012 to replace existing IT governance organizations, and\n                  each was created with new charters. The Portfolio Council is tasked with\n                  approving major IT investments. The IT Board, which is composed of\n                  representatives from OIS and other NRC offices, supports the Portfolio\n                  Council and reviews the performance of major IT investments. Non-major\n                  IT investments do not fall under the purview of these new organizations as\n                  described in their charters.\n\n                  Without Reviewing Non-Major IT Investments, NRC May Miss\n                  Opportunities To Improve Performance\n\n                  Without reviewing non-major IT investments, NRC may miss opportunities\n                  to improve the performance and cost-effectiveness of these investments.\n                  Though it is prudent to scrutinize high-dollar-value programs, NRC\xe2\x80\x98s 23\n                  non-major investments collectively compose approximately one-quarter of\n                  NRC\xe2\x80\x98s IT spending. NRC staff who are responsible for IT planning\n                  expressed concern to OIG about the lack of management visibility over\n                  non-major IT investments. Given the fiscal constraints NRC faces and the\n                  resulting pressure on IT budgets, NRC could benefit significantly from\n                  cost-effectiveness improvements in multiple non-major investments.\n                  Savings from improved or terminated non-major IT investments could be\n                  used to support higher priority IT investments.\n\n                  Recommendation\n\n                  OIG recommends that the Executive Director for Operations:\n\n                            1. Review non-major IT investments in applying the TechStat\n                               model.\n\n\n\n\n                                                             6\n\x0cAudit of NRC\xe2\x80\x98s Progress in Carrying Out the \xe2\x80\x9525 Point Implementation Plan to Reform Federal Information Technology Management\n\n\n\n\n                  Background for Action Item 13 Finding: Development of Specialized\n                  IT Acquisition Cadres\n\n                  Action Item13 of the 25-Point Plan calls for Federal agencies to design\n                  and develop cadres of specialized IT acquisition professionals. According\n                  to OMB, the lag time between when the Federal Government defines its IT\n                  requirements and when the contractor actually delivers the required IT\n                  product may allow technology to change substantially. Consequently,\n                  Federal IT acquisitions may become outdated by the time they are\n                  implemented. To address this problem, OMB directed Federal agencies\n                  to design and develop a cadre of specialized IT acquisition professionals\n                  by strengthening staff IT acquisition skills through classroom training, on-\n                  the-job experience, and mentorship. By strengthening skills of IT\n                  acquisition staff, OMB expects Federal agencies to expedite complex IT\n                  acquisitions.\n\n                  In July 2011, OMB released guidance on designing and developing a\n                  cadre of specialized IT acquisition professionals. The guidance describes\n                  how agencies can design and organize a cadre of contracting\n                  professionals, program managers, and contracting officer representatives\n                  to ensure their functions work closely together throughout the contracting\n                  process to achieve program goals. The OMB guidance also describes\n                  how agencies can strengthen the skills and capabilities of staff in their\n                  specialized acquisition cadres. Furthermore, the guidance requires senior\n                  agency managers to work with each other to create strategies and best\n                  practices in recruiting and retaining IT acquisition professionals.\n\n                  B. NRC Has Specialized IT Acquisition Professionals, but Has Not\n                     Institutionalized Current Training and Retention Best Practices\n\n                  OMB has directed Federal agencies to design and develop a cadre of\n                  specialized IT acquisition professionals by providing specific training, on\n                  the job experience, and mentoring. Although NRC has a branch of IT\n                  acquisition specialists who are encouraged to pursue training in this field,\n                  NRC has not institutionalized current training and retention best practices\n                  for these staff. This occurs because OMB approved NRC\xe2\x80\x98s 2012\n\n\n\n\n                                                             7\n\x0cAudit of NRC\xe2\x80\x98s Progress in Carrying Out the \xe2\x80\x9525 Point Implementation Plan to Reform Federal Information Technology Management\n\n\n\n\n                  acquisition human capital plan,12 which did not include details about staff\n                  training. Without institutionalized best practices, NRC faces challenges in\n                  training and retaining specialized IT acquisition professionals.\n\n                  Federal Agencies Are To Design and Develop a Cadre of IT Acquisition\n                  Professionals\n\n                  OMB has directed Federal agencies to design and develop a cadre of IT\n                  acquisition professionals by providing specific training, on the job\n                  experience, and mentoring. Additional guidance released by OMB in July\n                  2011 specifically required that agencies\xe2\x80\x98 senior managers13 work with\n                  each other in developing strategies and best practices for recruiting and\n                  retaining IT acquisition professionals.\n\n                  NRC Has a Cadre of IT Acquisition Professionals, but Has Not\n                  Institutionalized Training and Retention Best Practices\n\n                  Although NRC has a branch of IT acquisition specialists who are\n                  encouraged to pursue training in this field, NRC has not institutionalized\n                  current training and retention best practices for these staff. Contract\n                  specialists rotate within their division to gain exposure to different types of\n                  contracting, while taking contracting coursework to obtain Federal\n                  acquisition certification in contracting.14 The first level of certification does\n                  not require specialization such as IT acquisition. Additionally, contract\n                  specialists working in IT acquisition can take elective coursework and\n                  attend IT conferences that are geared towards IT acquisition\n                  specialization, yet this training is not required. Although NRC has\n                  implemented mentoring, on-the-job training, and other human resource\n                  practices to develop IT acquisition staff, NRC officials acknowledged that\n                  these best practices have not been formalized in their office policy.\n\n\n\n12\n  Each Federal agency covered by the Chief Financial Officers Act is required to develop an annual\nAcquisition Human Capital Plan as a means to improve the strategic management of the agency\xe2\x80\x98s\nacquisition workforce. A template developed by OMB\xe2\x80\x98s Office of Federal Procurement Policy and the\nFederal Acquisition Institute is used to gather information about each agency\xe2\x80\x98s acquisition workforce.\n13\n  These senior managers include the Chief Acquisition Officer, Chief Information Officer, and Chief\nHuman Capital Officer.\n14\n  Federal Acquisition Certification \xe2\x80\x93 Contracting (FAC \xe2\x80\x93 C) has three levels. Each level is attainable\nthrough educational content and work experience in Government contracting.\n\n\n                                                             8\n\x0cAudit of NRC\xe2\x80\x98s Progress in Carrying Out the \xe2\x80\x9525 Point Implementation Plan to Reform Federal Information Technology Management\n\n\n\n\n                  OMB Approved NRC\xe2\x80\x98s Human Capital Plan, Which Did Not Include Details\n                  About Staff Training\n\n                  NRC has not institutionalized training and retention best practices\n                  because OMB approved NRC\xe2\x80\x98s human capital plan, which did not include\n                  details about staff training. In March 2012, NRC submitted its annual\n                  Acquisition Human Capital Plan for 2012 to OMB, but the document had\n                  no specific description of plans to train and retain IT acquisition\n                  professionals. NRC staff stated that guidance from OMB did not specify\n                  requirements for formalized training of IT acquisition staff, and that nothing\n                  in OMB guidance implicitly or explicitly suggested it. OIG auditors did not\n                  find any information suggesting that OMB provided feedback or followup\n                  guidance for cultivating cadres of dedicated IT acquisition professionals.\n\n                  Without Institutionalizing Current Best Practices, NRC Faces Challenges\n                  in Training and Retaining IT Acquisition Staff\n\n                  NRC is pursuing an aggressive strategic acquisition initiative, and will\n                  need highly skilled acquisition professionals to support its efforts. Without\n                  an institutionalized development program for IT acquisition professionals,\n                  NRC faces challenges in training and retaining qualified personnel to\n                  provide these services. It would be prudent to formalize current best\n                  practices for staff training so that best practices can be sustained in the\n                  face of potential pressure from management changes or resource\n                  constraints. Additionally, developing and retaining staff with expertise in\n                  IT acquisition is especially important as NRC relies increasingly on IT to\n                  carry out its mission.\n\n                  Recommendation\n\n                  OIG recommends that the Executive Director for Operations:\n\n                            2. Incorporate into existing policy procedures for developing IT\n                            acquisition professionals, to include training courses, on-the-job-\n                            experience, and mentoring based on OMB guidance.\n\n\n\n\n                                                             9\n\x0cAudit of NRC\xe2\x80\x98s Progress in Carrying Out the \xe2\x80\x9525 Point Implementation Plan to Reform Federal Information Technology Management\n\n\n\n\n                  Background for Action Item 1 Findings: Data Center Consolidation\n\n                  Action Item 1 of the 25-Point Plan calls for agencies to complete detailed\n                  data center consolidation plans in accordance with the Federal Data\n                  Center Consolidation Initiative (the Consolidation Initiative). In February\n                  2010, OMB launched the Consolidation Initiative and issued guidance for\n                  Federal CIO Council15 agencies. The guidance called for agencies to\n                  inventory their data center assets, develop consolidation plans throughout\n                  FY 2010, and integrate those plans into their FY 2012 budget\n                  submissions.\n\n                  The Consolidation Initiative is aimed at assisting agencies in identifying\n                  their existing data center assets and formulating detailed consolidation\n                  plans that include a technical roadmap and clear consolidation targets.\n                  This effort aims to reduce the number of data centers across the Federal\n                  Government and assist agencies in applying best practices from the public\n                  and private sector, with goals to:\n\n                            \xe2\x80\xa2 Promote the use of \xe2\x80\x95Green IT\xe2\x80\x96 by reducing the overall energy and\n                            real estate footprint of Federal Government data centers.\n\n                            \xe2\x80\xa2 Reduce the cost of data center hardware, software, and\n                            operations.\n\n                            \xe2\x80\xa2 Increase the overall IT security posture of the Government.\n\n                            \xe2\x80\xa2 Shift IT investments to more efficient computing platforms and\n                            technologies.\n\n                  In its reports to OMB, NRC counts three data centers located in the\n                  agency\xe2\x80\x98s headquarters complex. NRC has built an additional data center\n                  inside a new headquarters building, which the agency will use to\n                  consolidate offices that are spread across multiple facilities. The new data\n                  center includes controls to monitor and adjust temperature, lighting, and\n\n\n\n\n15\n   The Federal CIO Council is the principal interagency forum to improve agency practices\non such matters as the design, modernization, use, sharing, and performance of agency\ninformation resources.\n\n                                                            10\n\x0cAudit of NRC\xe2\x80\x98s Progress in Carrying Out the \xe2\x80\x9525 Point Implementation Plan to Reform Federal Information Technology Management\n\n\n\n\n                  electricity use. In addition to building a more energy efficient data center,\n                  NRC is working to reduce data center power consumption through server\n                  virtualization.16\n\n                  One alternative to hosting data centers at an agency\xe2\x80\x98s facilities is external\n                  hosting. The 25-Point Plan directs Federal agencies to explore external\n                  hosting options through \xe2\x80\x95Cloud First\xe2\x80\x96 policies,17 according to which\n                  agencies outsource data processing to a commercial service provider or to\n                  another Federal agency with the capability to act as a \xe2\x80\x95cloud\xe2\x80\x96 service\n                  provider.\n\n                  C. NRC Does Not Include All Data Centers in Consolidation Plans\n\n                  Action Item 1 of the 25-Point Plan directs Federal agencies to comply with\n                  the Consolidation Initiative, which requires Federal agencies to inventory\n                  their data center assets and develop data center consolidation plans.\n                  However, NRC has limited its data center count to three headquarters\n                  facilities, excluding data centers in its regional offices and Technical\n                  Training Center. This has occurred because OMB has promulgated\n                  different definitions of \xe2\x80\x95data center,\xe2\x80\x96 and NRC has interpreted OMB\n                  guidance to exclude regional data centers. Without a complete data\n                  center count, NRC may miss opportunities to identify potential cost\n                  savings that could be realized through expanding its data center\n                  consolidation efforts.\n\n                  OMB\xe2\x80\x98s Data Center Consolidation Initiative Requires Federal Agencies To\n                  Provide a Count of All Data Centers They Host\n\n                  Action Item 1 of the 25-Point Plan directs Federal agencies to comply with\n                  the Consolidation Initiative, which requires Federal agencies to inventory\n                  their data center assets and develop data center consolidation plans. The\n                  Consolidation Initiative\xe2\x80\x98s first data center definition in October 2010 was\n                  \xe2\x80\x95any room greater than 500 square feet in area devoted to data\n                  processing, and meeting a tier (I, II, III, & IV) classification defined by the\n\n\n\n16\n  Virtualization is a technology that uses software to run multiple virtual machines with different operating\nsystems on a single physical server.\n17\n  Adopting \xe2\x80\x95Cloud First\xe2\x80\x96 policies is Action Item 3 of the 25-Point Plan. To comply with this action item,\nNRC has adopted cloud-based capital planning software, teleconferencing service, and emergency\nnotification service.\n\n                                                            11\n\x0cAudit of NRC\xe2\x80\x98s Progress in Carrying Out the \xe2\x80\x9525 Point Implementation Plan to Reform Federal Information Technology Management\n\n\n\n\n                  Uptime Institute.\xe2\x80\x9618 This guidance was supplemented by data center\n                  consolidation planning guides and templates, as well as a \xe2\x80\x95Frequently\n                  Asked Questions\xe2\x80\x96 document that expanded the data center definition to\n                  include server closets greater than 200 square feet, scientific and test lab\n                  servers, and field office data centers. OMB updated its data center\n                  inventory guidance March 2012 to eliminate the square footage metric,\n                  and include any \xe2\x80\x95closet, room, floor or building for the storage,\n                  management, and dissemination of data and information.\xe2\x80\x9619\n\n                  NRC Has Limited Its Data Center Count to Headquarters Facilities\n\n                  In NRC\xe2\x80\x98s annual reports to OMB on Consolidation Initiative compliance,\n                  NRC has limited its data center count to three headquarters facilities.\n                  NRC has not counted data centers located at its regional offices and its\n                  Technical Training Center.\n\n                  NRC Interpretation of OMB Guidance Has Limited NRC\xe2\x80\x98s Data Center\n                  Count\n\n                  NRC has counted only three headquarters data centers in its reports to\n                  OMB because OMB has promulgated different definitions of \xe2\x80\x95data center,\xe2\x80\x96\n                  and NRC has interpreted OMB guidance to exclude regional data centers.\n                  As noted above, OMB has defined \xe2\x80\x95data center\xe2\x80\x96 at least two different\n                  ways, and initial 2010 criteria were supplemented by multiple guidance\n                  documents that added more detail to these criteria. In their interpretation\n                  of OMB\xe2\x80\x98s guidance, NRC staff told OIG auditors that OMB\xe2\x80\x98s intent was\n                  presumed to include only three main headquarters data centers that run\n                  \xe2\x80\x95enterprise-wide\xe2\x80\x96 applications.\n\n                  Without Complete Data Center Count, NRC May Not Identify Potential\n                  Cost Savings\n\n                  Without a complete data center count, NRC may miss opportunities to\n                  identify potential cost savings that could be realized through expanding its\n\n\n18\n  The Uptime Institute is an organization that develops technical standards for data center operations.\nTier I-IV ratings reflect various elements of a data center\xe2\x80\x98s infrastructure that allow it to maintain\noperations. Tier IV\xe2\x80\x94the highest rating\xe2\x80\x94refers to data centers with capabilities to withstand unplanned,\nworst-case infrastructure failure with no critical load impact.\n19\n  This definition excludes spaces devoted exclusively to communications and network equipment, such\nas telecommunications rooms.\n\n                                                            12\n\x0cAudit of NRC\xe2\x80\x98s Progress in Carrying Out the \xe2\x80\x9525 Point Implementation Plan to Reform Federal Information Technology Management\n\n\n\n\n                  data center consolidation efforts. Indeed, one of the main objectives of\n                  the Consolidation Initiative is to reduce the number of data centers\n                  operated by Federal agencies as means to reduce costs and adopt more\n                  efficient computing platforms. Facility consolidation and server\n                  virtualization offer potential efficiencies, but NRC staff cannot measure the\n                  costs and benefits of these alternatives\xe2\x80\x94and make well-informed plans\n                  for the future\xe2\x80\x94without an accurate analysis of its data center inventory.\n\n                  Recommendation\n\n                  OIG recommends that the Executive Director for Operations:\n\n                            3. Include all NRC data center infrastructure as currently defined\n                               by OMB in data center consolidation planning and reporting to\n                               OMB.\n\n                  D. NRC Did Not Perform Alternatives Analysis for the 3WFN Data\n                     Center\n\n                  Federal guidance instructs agencies to consider alternatives to in-house\n                  data hosting when formulating data center consolidation plans. NRC built\n                  a new data center in the Three White Flint North building (3WFN) to\n                  consolidate some headquarters data centers, but did not perform an\n                  alternatives analysis prior to undertaking the project. NRC staff did not\n                  perform an alternatives analysis to include external hosting for the 3WFN\n                  data center because senior management had committed to moving\n                  existing data centers to 3WFN early in the planning phase. As result, the\n                  3WFN data center was built with extra capacity that may not be used.\n\n                  Agencies Should Consider Alternatives to In-House Data Hosting When\n                  Formulating Data Center Consolidation Plans\n\n                  Federal guidance instructs agencies to consider alternatives to in-house\n                  data hosting when formulating data center consolidation plans.\n                  Consolidation Initiative implementation guidance20 issued by the Federal\n                  CIO Council explicitly states this principle, and adds that agencies should\n\n20\n  In February 2010, the Administration launched the Federal Data Center Consolidation Initiative\n(FDCCI) and issued guidance for Federal CIO Council agencies. The guidance called for agencies to\ninventory their data center assets, develop consolidation plans throughout fiscal year 2010, and integrate\nthose plans into agency fiscal year 2012 budget submissions.\n\n\n                                                            13\n\x0cAudit of NRC\xe2\x80\x98s Progress in Carrying Out the \xe2\x80\x9525 Point Implementation Plan to Reform Federal Information Technology Management\n\n\n\n\n                  maximize departmentwide services, interagency sharing, co-location and\n                  virtualization if \xe2\x80\x95in-house\xe2\x80\x96 solutions are deemed necessary for\n                  performance or security reasons. Moreover, the Clinger-Cohen Act of\n                  1996 requires Federal agencies to analyze IT investments to help\n                  maximize the value and manage the risk of these investments.\n\n                  NRC Did Not Perform Alternatives Analysis for New Data Center\n\n                  NRC built a new data center in 3WFN to consolidate some headquarters\n                  data centers, but did not perform an alternatives analysis prior to\n                  undertaking the project. In 2010, NRC staff provided the Commission with\n                  a cost estimate for including a data center in the 3WFN office building, and\n                  a contractor performed a data center construction cost estimate before\n                  3WFN building plans were available. However, neither of these estimates\n                  were based upon actual building plans, nor did they examine alternatives\n                  to in-house data hosting. Then, in early 2012\xe2\x80\x94more than 2 years after\n                  NRC had committed to moving its data center to 3WFN\xe2\x80\x94NRC undertook\n                  an alternatives analysis that included market research of various data\n                  hosting options. Figure 3 shows a section of the 3WFN data center at one\n                  point during construction.\n\nFigure 3: New Data Center Construction in Progress\n\n\n\n\nSource: NRC.\n\n                                                            14\n\x0cAudit of NRC\xe2\x80\x98s Progress in Carrying Out the \xe2\x80\x9525 Point Implementation Plan to Reform Federal Information Technology Management\n\n\n\n\n                  NRC Senior Management Committed to New Data Center Without\n                  Alternatives Analysis\n\n                  NRC staff did not perform an alternatives analysis that included external\n                  hosting for the 3WFN data center because senior management had\n                  committed to moving existing data centers to 3WFN early in the project\n                  planning phase. NRC signed a lease with the General Services\n                  Administration in October 2009 for the new 3WFN building,21 and NRC\n                  staff subsequently analyzed costs of building a data center in 3WFN.\n                  Based on this analysis, the Commission approved $12.5 million for design\n                  and construction of a new data center in 3WFN, and directed staff to\n                  complete NRC\xe2\x80\x98s move into the new data center in FY 2013.\n\n                  NRC 3WFN Data Center Was Built With Spare Capacity\n\n                  The 3WFN data center was built with spare capacity that may not be used.\n                  The new data center was built with infrastructure to accommodate up to\n                  184 server racks if needed,22 which includes additional electrical and\n                  cooling systems. NRC currently plans to use 90 server racks, and is\n                  considering alternatives to in-house data hosting that would eliminate the\n                  need to nearly double its physical server count. Emerging budget and\n                  space usage constraints bear heavily on NRC\xe2\x80\x98s data center consolidation\n                  plans, so careful analysis of alternatives to in-house data hosting will be\n                  particularly important in adopting the most cost-effective solution to NRC\xe2\x80\x98s\n                  data center needs.\n\n                  Recommendation\n\n                  OIG recommends that the Executive Director for Operations:\n\n                            4. Create short- and long-term plans for the 3WFN data center, to\n                            include review of external hosting options and cloud computing\n                            service providers per OMB guidance.\n\n\n\n\n21\n  This lease calls for construction of an office building with infrastructure such as heating, plumbing,\nelectricity, and fire suppression. NRC was responsible for additional \xe2\x80\x95tenant improvements\xe2\x80\x96 such as a\ndata center.\n22\n  NRC built additional server infrastructure into the 3WFN data center to avoid renovation costs in case\nextra server capacity became necessary at some point in the future.\n\n                                                            15\n\x0cAudit of NRC\xe2\x80\x98s Progress in Carrying Out the \xe2\x80\x9525 Point Implementation Plan to Reform Federal Information Technology Management\n\n\n\n\nIV. Consolidated List of Recommendations\n\n                  OIG recommends that the Executive Director for Operations:\n\n                            1. Review non-major IT investments in applying the TechStat\n                            model.\n\n                            2. Incorporate into existing policy procedures for developing IT\n                            acquisition professionals, to include training courses, on-the-job-\n                            experience, and mentoring based on OMB guidance.\n\n                            3. Include all NRC data center infrastructure as currently defined\n                            by OMB in data center consolidation planning and reporting to\n                            OMB.\n\n                            4. Create short- and long-term plans for the 3WFN data center, to\n                            include review of external hosting options and cloud computing\n                            service providers per OMB guidance.\n\n\n\n\n                                                            16\n\x0cAudit of NRC\xe2\x80\x98s Progress in Carrying Out the \xe2\x80\x9525 Point Implementation Plan to Reform Federal Information Technology Management\n\n\n\n\nV. AGENCY COMMENTS\n\nAn exit conference was held with the agency on December 18, 2012. At this meeting,\nagency management stated their general agreement with the findings and\nrecommendations in this report and opted not to provide formal comments for inclusion\nin this report.\n\n\n\n\n                                                            17\n\x0cAudit of NRC\xe2\x80\x98s Progress in Carrying Out the \xe2\x80\x9525 Point Implementation Plan to Reform Federal Information Technology Management\n\n\n\n\n                                                                                                            Appendix A\nOBJECTIVE, SCOPE, AND METHODOLOGY\n\n                  OBJECTIVE\n\n                  The audit objective was to evaluate NRC\xe2\x80\x98s progress in carrying out the \xe2\x80\x9525\n                  Point Implementation Plan to Reform Federal Information Technology\n                  Management.\xe2\x80\x96\n\n                  SCOPE\n\n                  The audit reviewed NRC\xe2\x80\x98s activities related to 25-Point Plan action items\n                  for which the agency was responsible, with special emphasis on IT\n                  investment review boards, IT acquisition cadres, and data center\n                  consolidation. OIG conducted this performance audit from April 2012\n                  through October 2012 at NRC headquarters in Rockville, MD. To address\n                  the audit objective, OIG auditors conducted multiple interviews of NRC\n                  staff representing the Office of Information Services, Computer Security\n                  Office, and Office of Administration. Auditors also conducted interviews\n                  with staff representing NRC\xe2\x80\x98s regional offices.\n\n                  METHODOLOGY\n\n                  OIG reviewed the \xe2\x80\x9525 Point Implementation Plan to Reform Federal\n                  Information Technology Management,\xe2\x80\x96 and other pertinent NRC and\n                  Federal Government guidance including:\n\n                                 NRC IT Investment Review Board charters and TechStat\n                                 documentation.\n                                 OMB cloud computing guidance.\n                                 OMB Office of Federal Procurement Policy guidance.\n                                 OMB Federal Data Center Consolidation Initiative guidance.\n                                 OMB Chief Information Officer authorities guidance.\n                                 OMB Circular A-130.\n                                 Federal CIO Council best practice and lessons learned\n                                 documents.\n\n                  OIG also analyzed documents used in planning and budgeting for NRC\xe2\x80\x98s\n                  3WFN data center, and a data center services alternative analysis study.\n\n\n                                                            18\n\x0cAudit of NRC\xe2\x80\x98s Progress in Carrying Out the \xe2\x80\x9525 Point Implementation Plan to Reform Federal Information Technology Management\n\n\n\n\n                  We conducted this performance audit in accordance with generally\n                  accepted government auditing standards. Those standards require that\n                  we plan and perform the audit to obtain sufficient, appropriate evidence to\n                  provide a reasonable basis for our findings and conclusions based on our\n                  audit objective. We believe that the evidence obtained provides a\n                  reasonable basis for our findings and conclusions based on our audit\n                  objective.\n\n                  The audit work was conducted by Beth Serepca, Team Leader; Paul\n                  Rades, Audit Manager; Melissa Schermerhorn, Senior Analyst; and\n                  Avinash Jaigobind, Analyst.\n\n\n\n\n                                                            19\n\x0c'